The Web Security Mailing List

"Two weeks ago, when security researcher Dan Kaminsky announced a
devastating flaw in the internet's address lookup system, he took the
unusual step of admonishing his peers not to publicly speculate on the
specifics. The concern, he said, was that online discussions about how
the vulnerability worked could teach black hat hackers how to exploit
it before overlords of the domain name system had a chance to fix it.

That hasn't stopped researcher Halvar Flake from posting a
hypothesis that several researchers say is highly plausible. It
describes a simple method for tampering with DNS name servers that get
queried when a user tries to visit a specific website. As a result,
attackers would redirect someone trying to visit a site such as
bankofamerica.com to an impostor site that steals their credentials."
The Register

"It would also demonstrate the difficulty researchers like Kaminsky
face in trying to keep the specifics of a vulnerability quiet. While
Flake is highly respected in security circles, he admits his knowledge
of DNS is limited. He had to spend time reading a "DNS-for-dummies"
text to get up to speed.

If a few weeks was enough for him to come up with an attack
scenario, plenty of less scrupulous hackers almost certainly will be
able to do the same thing, calling into question whether it's realistic
to limit vulnerability disclosure in the way Kaminsky has proposed.

"It's the universal opinion of the research community that
it's not a reasonable request," said Thomas Ptacek, a researcher at
Matasano who is critical of the admonition against other researchers publicly discussing the flaw.
Ptacek and several other researchers have received a briefing from
Kaminsky in exchange for a promise not to discuss it publicly, a
condition he says is perfectly OK." TheReg